In a clash between the authoritarian state and the libertarian vision, the Clinton
administration is seeking draconian control of computers and encryption.

Virginia's soft-spoken four-term Republican congressman, Rep. Bob Goodlatte, may
come out of a no-nonsense town in the Blue Ridge, but he has taken on
virtually the entire defense establishment, the intelligence community
and even the FBI with his bill HR850, the Security and Freedom through
Encryption Act, or SAFE. It is a simple concept, and it has 258
cosponsors in the House. What SAFE would do is guarantee every American
the freedom to use any type of cryptography anywhere in the world and
allow the sale of any type of encryption domestically. Not such a big
deal, is it? How many Americans go around writing secret messages in
disappearing ink after they grow up?

Actually,
it is one of those edge-defying, generation-splitting,
turn-the-world-upside-down moments in history. It is a struggle between
two different visions of American society. One side sees the private
use of encryption as a way to safeguard the records and property of
U.S. citizens from the prying eyes of computer hackers, thieves,
terrorists and the U.S. government. The other side is the U.S.
government, which sees itself as the guarantor of security in the newly
discovered land of cyberspace. And to provide that security the
government says it has to have the power, at any given moment, to look
into anyone's e-mail, bank accounts, financial transactions,
information exports and dangerous ideas. Our whole practice of
governing is based on geographic concepts -- jurisdiction in delineated
districts, authority flowing from citizens voting by precinct, taxes
based on property in a given place or on salaries reported to and
scrutinized by powerful agencies.

But
the Internet is everywhere and nowhere. If people slip into cyberspace
covered in the stealth garment of encryption to perform transactions,
express their ideas, transfer payments and export technology, who's to
know what is happening? How will taxes be assessed and collected? How
will commerce be measured? How will the professions be regulated if
everyone has access to legal or medical information? What will
bureaucrats do without people to boss around? How will ideas be
controlled? For those who believe that strong government should be the
molder and protector of its citizens -- well then, citizens acting
behind the cloak of encryption could be a fundamental threat to
government. They are enemies of the state.

Encryption
has been around since the earliest times. Elizabethan poets and spies
were versed in "cypher." Samuel Pepys wrote his famous diaries in
cypher to hide his accounts of his dalliances. William Byrd of Westover
wrote the first major literary work in North America -- his diaries --
in his own code. Thomas Jefferson and his protégé, James Monroe,
corresponded in cypher and continually were complaining that the key
was mislaid or gone astray.

Modern
encryption is based on the use of a unique, private numeric "key" which
opens a "public key" that even may be published in the marketplace of
the Internet. The length of the string of numbers, or "bits," in the
private key determines how difficult it is to crack the code. The
Clinton administration has decreed that persons in the United States
can export encryption products that use up to 56 bits in the key's
algorithm; to export a longer and stronger product, the user must agree
to put the key "in escrow" where it can be subpoenaed by
law-enforcement authorities. But foreign users understandably do not
want to place their keys in escrow available to U.S. authorities. And
56-bit encryption is not as secure as the federal government has
claimed: In a recent test, a group of private computer experts with
desktop computers cracked the 56-bit code in less than 24 hours. More
secure 128-bit encryption is widely available around the world,
including the United States, but it is illegal to export any product
that uses it (see sidebar, below).

The
SAFE bill would modernize U.S. export controls to permit the export of
generally available software and create criminal penalties for the
knowing and willful use of encryption to conceal evidence of a crime,
but specifies that the use of encryption by itself is not probable
cause of a crime. "The reasons why they have insisted on those export
controls is to attempt to force the software industry to devise a
key-recovery or key-escrow system whereby everybody's computer has a
back door that law enforcement can access without their knowledge,"
Goodlatte tells Insight. American citizens "are not as secure as they
could be because encryption has not grown to the strength that it
should be to protect the actions of law-abiding citizens."

The
use of encryption by private individuals and business enterprises is a
good way to fight crime, Goodlatte believes, by stopping crime before
it happens. "Because encryption is already widely available,
[law-enforcement authorities] will still have a problem whether my bill
passes or not," he says. "Individuals bent on using encryption to cover
up their activities for criminal purposes can buy it from literally
hundreds of sources. To cite an adage that applies in another area: If
you outlaw encryption, only outlaws will have encryption." Indeed, a
recent study by the George Washington University School of Engineering
and Applied Science backs up Goodlatte. It found good encryption
programs available outside the United States on more than 800 Websites.

Of
course, robust encryption available to any citizen might thwart the
special vision of an administration that believes that government must
be the protector of its citizens.

It
may be a touch exaggerated, but many citizens feel like the eager young
criminal lawyer played by Will Smith last year in the movie Enemy of
the State. When Smith unknowingly comes into possession of evidence
that a secret federal agency is committing criminal acts, he finds
himself targeted in a bizarre night-and-day chase through streets,
markets and high-rise buildings -- all with the obligatory black
helicopters hovering overhead.

Dramatic
license aside, there are signs that events are inching toward that
fantastic scenario. Most disturbing were the detailed revelations by a
panel of the European Parliament that the United Kingdom and the United
States, joined by Canada, Australia and New Zealand, have been engaged
in international surveillance of the communications of each other's
citizens for years in a joint signals-intelligence consortium
code-named ECHELON (see sidebar; for an earlier report, see news
alert!, Aug. 17, 1998). Although Attorney General Janet Reno and other
officials assert that encryption must be controlled to stop terrorists
and child pornography -- two powerful, but demagogic arguments -- it
appears the real reasons lie elsewhere. After all, as Reno admits,
international terrorist Osama bin Laden already has cryptography and
child pornographers are best caught the old-fashioned way: by baiting
them into their own trap. The fact is that routine use of strong
encryption by law-abiding citizens and enterprises would shut down
citizen-surveillance projects such as ECHELON.

The
battle to block widespread use of private encryption and to extend
government surveillance has emerged on many fronts in the last few
months:

The administration has put on a full-court press to
block the SAFE bill. Goodlatte and his 258 cosponsors are on one side;
on the other are the president, the secretaries of state and defense,
the directors of the CIA and FBI and the attorney general, who all have
risen up to attempt to defeat the legislation. And they have corralled
a few of the GOP's old bull elephants -- including House Armed Services
Committee Chairman Floyd Spence of South Carolina and House Permanent
Select Intelligence Committee Chairman Porter Goss of Florida -- to run
interference on Capitol Hill. But HR850 safely has run the gauntlet of
three House committees in sequential referral -- Judiciary, Commerce
and International Relations. It ran aground, however, in Spence's and
Goss' panels. Both committees stood the bill on its head, adopting the
administration's position that SAFE would abet terrorists and child
pornographers. No matter. "They are, in effect, sending alternative
suggestions to the [House] Rules Committee; they don't amend my
language," says Goodlatte. Judiciary is the main committee of
jurisdiction, and its bill now is before the Rules Committee, chaired
by Rep. David Dreier of California, for possible action in September.
Sources in the Rules Committee tell Insight that the cards are being
held close to the chairman's vest, but Dreier happens to be a cosponsor
of the Goodlatte version.

The Justice Department has sought the "cooperation"
of private industry to exchange security data in eight areas of
"critical infrastructure," including telecommunications,
transportation, water supply, oil and gas production, banking and
finance, electrical generation, emergency services and essential
government. "The NIPC [National Infrastructure Protection Center] was
established to deter, detect, analyze, investigate and provide warnings
of cyberthreats and attacks on the critical infrastructures of the
United States, including illegal intrusions into government and
private-sector computer networks," Reno told the Senate Appropriations
Committee on Feb. 24. "NIPC will play a major role in the national plan
for cyberprotection functions." Reno went on to note that "the
administration is not currently seeking mandatory controls on
encryption, but instead is working with industry to find voluntary
solutions." But banking officials, for example, are extremely
experienced in detecting and preventing computer intrusions because of
the vast sums at stake. "It is difficult to imagine that a government
that can't even keep our top nuclear secrets safe could teach financial
institutions about security," a source close to the banking industry
tells Insight. Besides, the source says, banking officials, after
meeting NIPC, were appalled at the range of information the government
is seeking -- including detailed access and transaction codes of
customers.

The Justice Department has been planning to establish
the Federal Intrusion Detection Network, or FIDNET, which continually
would monitor the Internet for intrusions, at a cost of $1.5 billion.
According to a study by the Center for Democracy and Technology of a
restricted draft document, FIDNET would be an intrusion-detection
monitoring system for non-Defense Department government computers.
Intrusion-detection monitors installed on individual systems or
networks would be "netted" so that an intruder or intrusion techniques
used at one site automatically will be known at all sites. But the
draft plan says that the goal is to have similar monitoring sensors
installed on private-sector information systems. As soon as the draft
document began circulating on Capitol Hill, the House Appropriations
Committee quietly axed the budget request for FIDNET on July 30.

On Aug. 5, President Clinton issued an executive
order setting up a "Working Group on Unlawful Conduct on the Internet."
The working group is to make a report on whether there are enough
federal laws to deal with unlawful conduct and whether new technology
and capabilities might be needed for effective investigation and
prosecution of unlawful conduct within the context of administration
policy which supports industry self-regulation "where possible."

The Justice Department, which has prosecuted and
threatened prosecution against a number of nongovernment experts who
want to publish their encryption programs on the Internet, is appealing
the May 6 decision of the 9th U.S. Circuit Court of Appeals in
Bernstein v. U.S. Department of Justice that encryption is protected
speech under the First Amendment. Daniel Bernstein, a professor in the
Department of Mathematics, Statistics, and Computer Science at the
University of Illinois at Chicago, developed an encryption system that
he wanted to post on the Internet for discussion. The State and
Commerce departments ruled that to do so he would have to declare
himself an arms dealer and apply for an export license, which was
refused.

The FBI -- which was denied the right to require
cell-phone companies to install equipment that would give real-time
information to track the location of cell-phone users (even when the
instrument is on standby) in the 1994 Communications Assistance for Law
Enforcement Act -- has been working with the Federal Communications
Commission to establish standards which would do the same thing without
legislation. According to James X. Dempsey of the Center for Democracy
and Technology, "The FBI has sought a 100 percent solution -- a
comprehensive examination of the nation's evolving telephone systems
that would address all potential law-enforcement problems in a single
'standard' for use by switch manufacturers." In addition to location
tracking, he says, the FBI and industry have proposed "allowing
companies to deliver the entire packet data stream, including the
content of all communications, when law enforcement is entitled to
receive only dialing or signal information." In addition, the FBI is
attempting to collect all numbers dialed, "including credit-card and
bank-account." The FBI also is seeking an enormous increase in
capacity: the ability to tap one out of 1,000 phone lines in a given
locality at the same time, or the ability to monitor 74,250 phone lines
at once -- 10 times the number of surveillance orders in 1993.

U.S. Postmaster General William Henderson proposed on
May 17 that the Internet go postal. He wants the post office to become
the custodian of all e-mail addresses, mapping them to specific
geographic locations, as well as processing bill payments, purchase
transactions and being "the residential deliverer of choice for
purchases made on the Internet." Describing the post office as a
trusted third party, Henderson said, "We would own the physical address
and we would maintain it. All that information that . . . our customers
have developed around a physical address could now migrate through the
Internet and be a part of commerce."

"The
underlying belief is that American citizens really need to be policed,"
Shari Steele, director of legal services for the Electronic Frontier
Foundation, tells Insight. "They are putting it on themselves to look
at every citizen. They are just willing to trample all over civil
liberties to find the isolated criminal. These issues are clearly
related to who has the right to make the decisions for all of us, the
right to make big societal decisions as to what's good for all of us.
Almost all of us online believe that citizens have the right to protect
our integrity. Really, technology gives us the solutions to protect our
autonomy."

A Backdoor to Your PC

The
White House is seeking new legislation to allow law-enforcement agents
to enter the back door of anyone's computer without the owner being
aware. An Aug. 4 Department of Justice internal memo obtained by
Insight analyzes a proposed "Cyberspace Electronic Security Act of
1999," or CESA, which the department is planning to send to Capitol
Hill. CESA sets up a framework for protecting the stored recovery-key
system, or key escrow, which the computer industry steadfastly has
rejected -- thereby showing that the Clinton administration is
determined to win on this issue, despite overwhelming sentiment behind
HR850, Virginia Republican Rep. Bill Goodlatte's bill in the House. It
provides a way for law-enforcement agents to obtain recovery keys from
the keyholder and states that "there is no constitutionally protected
expectation of privacy in the plaintext [a term used by encryption
experts to denote an ordinary message in its original meaningful form]
of encrypted data" -- contrary to the recent ruling of the 9th U.S.
Circuit Court of Appeals in Bernstein v. DOJ that encryption is
constitutionally protected.

But
even if the key to encrypted text is not stored with a third party, the
government wants access. The memo notes, "In the pre-encryption world,
this problem did not arise." Therefore, it concludes, "the government
will need another way to obtain encryption keys," including "a search
warrant with the possibility of delayed notice," and "the alteration of
hardware or software that allows plaintext to be obtained even if
attempts were made to protect it with encryption."

According
to the Electronic Privacy Information Center, the White House plan
would enable federal and local law-enforcement agents secretly to break
into private premises and alter computer equipment to collect e-mail
messages and other electronic information. "It's really a little hard
to believe that they would be seriously proposing this," EPIC's
counsel, David Sobel, tells Insight. "This is beyond the wildest
imagination of the most paranoid people who have been following this
issue over the years -- it's one of the scariest proposals to come out
of government in a long time. This strikes at the heart of the Bill of
Rights."

Listen Up, ECHELON

The
report prepared for the European Parliament by its Scientific and
Technological Options Assessment panel, or STOA, confirmed in April
that ECHELON's giant antennae distributed among the five countries
monitor all communications broadcast by satellite and microwave
relays, including voice and data streams. Submarine pods, attached to
undersea cable by induction coils, monitor the Internet and cable
traffic. Information is passed through so-called "dictionary" computers
that sort out the data by looking for keywords. The information "is
used to obtain sensitive data concerning individuals, governments and
trade and international organizations," says the STOA report, asserting
that the information is used not only for military intelligence but
also to promote commercial contracts. As usual, U.K. and U.S. officials
have declined comment but, on May 23, Martin Brady, director of the
Australian Defense Signals Directorate, or DSD, in Canberra stated that
DSD "does cooperate with counterpart signals-intelligence organizations
overseas under the UK/USA relationship."

Encryption as Protected Art

Encryption
is an essential part of the right to human expression protected under
the Constitution. Ironically, the Central Intelligence Agency, one of
the lead agencies attempting to limit the use of encryption, is the
home of a well-known artwork, Kryptos, the work of
Washington sculptor James Sanborn. The giant bronze piece has stood
like an upended parchment in a secret courtyard of the agency since the
1980s, covered with 865 characters arranged in rows. But the best
cryptographers at CIA have not yet cracked the code completely, though
the message is slowly yielding to efforts of top code breakers.